Security Research

Picking up the pace: A new 120-day disclosure window

Shannon_Sabens on ‎02-26-2014 12:15 PM

In the coming year, the Zero Day Initiative will be ten years old.  It is the most mature vulnerability bug bounty program around…

It would be easy to be complacent: we love what we do, we work with brilliant researchers, and our work contributes to better products and a more secure enterprise computing landscape. We are very proud of that. And yet, when one starts thinking this way, isn't it also time for a change? We have looked, and will continue to look, at ways to make our program better. One very clear way to push ourselves and our vendor partners, to increase our commitment to the independent researchers who entrust us with their work, and most of all to advance our commitment to more secure computing, is to shorten our public disclosure deadline.

In a presentation at RSA today, we announced that vendors are now asked to develop a fix for a reported vulnerability within 120 days of receiving our product vulnerability report. The new window applies to reports received on or after March 1, 2014. Historically, we asked vendors to develop a fix within 180 days of receiving our report; if no fix was available by the deadline, the ZDI published a limited advisory so that affected users could apply mitigations.


Why change?
Our purpose in changing the policy is to push vendors to shorten the time it takes them to react to responsibly disclosed vulnerabilities, and so to reduce the window of exposure faster. We know the public is already at risk: the vulnerabilities exist, and researchers, white hats and black hats alike, are actively looking for them every day. A bug that sits unpatched for six months is a bug that someone else may find independently in the meantime.


Is this realistic for large vendors?
The evidence says yes. The large vendors are already responding in closer to 120 days on average. It seems that we have grown together.


In 2010:
• ZDI was publishing around 100 vulnerabilities a year
• 30% of those cases took more than 365 days from report to fix
• To address sluggish or non-existent response by vendors, the ZDI instituted a 180-day public disclosure policy

In 2011:
• Every one of the "Top 10" vendors had at least one vulnerability that took more than 180 days to fix

In 2013:
• Only 6 vendors had one or more vulnerabilities that took more than 180 days
• 5 vendors averaged more than 120 days
• Only 2 vendors averaged more than 180 days

Overall, vendor timelines are greatly reduced. We thank these vendor partners for their increased commitment to secure coding and regular patching, and we look forward to continued growth and improvement together.
